MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 11



SHA256 hash: f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d
SHA3-384 hash: cafc1a5680f8dd8550a8b0167102da88ebc0a3e1263b5dd00442d31afa02d69f791e34f27fbe05927898aaf968011afe
SHA1 hash: b77372ce8b77d944dae3809ec53eaab7106e4d5d
MD5 hash: 0b55f16a4c239e8069c07176e1a707d7
humanhash: music-pluto-uranus-robin
File name: 0B55F16A4C239E8069C07176E1A707D7.exe
Signature: AsyncRAT
File size: 606'904 bytes
First seen: 2021-08-29 20:10:54 UTC
Last seen: 2021-08-29 20:59:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:1RbFHtzi34+cwBhlafEh6SQBMRewjXH6+7RL:LbbO4JMZ+B8H9
Threatray: 137 similar samples on MalwareBazaar
TLSH: T11CD4C0E0E841715AEC00D9F6D90FFFC94497AFD604266BC6E13973523AB2F458E1A8D8
dhash icon: f1d8b02286cae4f0 (1 x AsyncRAT, 1 x RedLineStealer)
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
45.144.154.150:4782

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.144.154.150:4782
ThreatFox Reference: https://threatfox.abuse.ch/ioc/202028/

Intelligence


File Origin
# of uploads:
2
# of downloads:
131
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0B55F16A4C239E8069C07176E1A707D7.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-29 20:13:07 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Running batch commands
Result
Threat name:
AsyncRAT BitCoin Miner
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected BitCoin Miner
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
[Behavior graph not reproduced here; Behavior Graph ID: 473544, Sample: Z7D9AHBBJz.exe, Startdate: 29/08/2021, Architecture: WINDOWS, Score: 100]
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-08-27 01:12:00 UTC
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat pyinstaller rat spyware stealer suricata
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Unpacked files
SHA256 hash:
07ec4698147acd650678c880ccb1921a647da8e77bfce3f28421fab5fb911327
MD5 hash:
c910040252c0657d06eb91e252246022
SHA1 hash:
db94c145ec6396ce67300f94f8e0aee0a966ca47
SHA256 hash:
c118a74e392ebf7099f8081b477edb123652d8f6c59aa60f7db50d328d690e4f
MD5 hash:
9613255901006f852265de3f9fa055b9
SHA1 hash:
cad3a13f8bb3f4329fc43ca8d0ebe6dc544d23af
SHA256 hash:
e9f4dfd133818d4eff2462dc89d998a7942430440cc4409fde0745a3ae3f5965
MD5 hash:
fbb2538c8e00841f9fbb5ca21eb8f6df
SHA1 hash:
101df48f05454ef3d3213d8769c7b36334d970d6
Detections:
win_asyncrat_w0
SHA256 hash:
f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d
MD5 hash:
0b55f16a4c239e8069c07176e1a707d7
SHA1 hash:
b77372ce8b77d944dae3809ec53eaab7106e4d5d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments